4 vulnerabilities by thexerteproject
CVE-2026-34413 (GCVE-0-2026-34413)
Vulnerability from cvelistv5 – Published: 2026-04-22 18:33 – Updated: 2026-04-23 16:25
Title
Xerte Online Toolkits Missing Authentication via connector.php
Summary
Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php: the HTTP redirect issued to unauthenticated callers is not followed by exit() or die(), so PHP execution continues and the full request is still processed server-side. Unauthenticated attackers can therefore perform file operations on project media directories, including creating directories, uploading files, renaming files, duplicating files, overwriting files, and deleting files; this can be chained with the path traversal and extension blocklist vulnerabilities to achieve remote code execution and arbitrary file read.
Severity
CWE
- CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
Assigner
References
| URL | Tags |
|---|---|
| https://xerte.org.uk/xertetoolkits_3.15_ChangeLog.html | release-notes |
| https://xerte.org.uk/index.php/en/downloads-1/category/3-xerte-online-toolkits | product, permissions-required |
| https://github.com/thexerteproject/xerteonlinetoolkits/issues/1527 | issue-tracking |
| https://github.com/thexerteproject/xerteonlinetoolkits/commit/02661be88cc369325ea01b508086bde7fbfec805 | patch |
| https://github.com/thexerteproject/xerteonlinetoolkits/commit/17e4f945fe6a3400fa88c01eda18c1075ee4a212 | patch |
| https://github.com/thexerteproject/xerteonlinetoolkits/commit/507d55c5e91bf9310b5b1c7fad8aebfef902ad23 | patch |
| https://www.vulncheck.com/advisories/xerte-online-toolkits-missing-authentication-via-connector-php | third-party-advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| thexerteproject | xerteonlinetoolkits | Affected: 3.15.0 (semver); 3.14.0 (semver); 3.13.0 (semver); 0, < 02661be88cc369325ea01b508086bde7fbfec805 (git); 0, < 17e4f945fe6a3400fa88c01eda18c1075ee4a212 (git); 0, < 507d55c5e91bf9310b5b1c7fad8aebfef902ad23 (git) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34413",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-23T13:02:47.014600Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T16:25:24.691Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "xerteonlinetoolkits",
"repo": "https://github.com/thexerteproject/xerteonlinetoolkits",
"vendor": "thexerteproject",
"versions": [
{
"status": "affected",
"version": "3.15.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "3.14.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "3.13.0",
"versionType": "semver"
},
{
"lessThan": "02661be88cc369325ea01b508086bde7fbfec805",
"status": "affected",
"version": "0",
"versionType": "git"
},
{
"lessThan": "17e4f945fe6a3400fa88c01eda18c1075ee4a212",
"status": "affected",
"version": "0",
"versionType": "git"
},
{
"lessThan": "507d55c5e91bf9310b5b1c7fad8aebfef902ad23",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "bootstrapbool"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where an HTTP redirect to unauthenticated callers does not call exit() or die(), allowing PHP execution to continue and process the full request server-side. Unauthenticated attackers can perform file operations on project media directories including creating directories, uploading files, renaming files, duplicating files, overwriting files, and deleting files, which can be chained with path traversal and extension blocklist vulnerabilities to achieve remote code execution and arbitrary file read.\u003cbr\u003e"
}
],
"value": "Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where an HTTP redirect to unauthenticated callers does not call exit() or die(), allowing PHP execution to continue and process the full request server-side. Unauthenticated attackers can perform file operations on project media directories including creating directories, uploading files, renaming files, duplicating files, overwriting files, and deleting files, which can be chained with path traversal and extension blocklist vulnerabilities to achieve remote code execution and arbitrary file read."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-497",
"description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T18:33:44.084Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://xerte.org.uk/xertetoolkits_3.15_ChangeLog.html"
},
{
"tags": [
"product",
"permissions-required"
],
"url": "https://xerte.org.uk/index.php/en/downloads-1/category/3-xerte-online-toolkits"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/thexerteproject/xerteonlinetoolkits/issues/1527"
},
{
"tags": [
"patch"
],
"url": "https://github.com/thexerteproject/xerteonlinetoolkits/commit/02661be88cc369325ea01b508086bde7fbfec805"
},
{
"tags": [
"patch"
],
"url": "https://github.com/thexerteproject/xerteonlinetoolkits/commit/17e4f945fe6a3400fa88c01eda18c1075ee4a212"
},
{
"tags": [
"patch"
],
"url": "https://github.com/thexerteproject/xerteonlinetoolkits/commit/507d55c5e91bf9310b5b1c7fad8aebfef902ad23"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/xerte-online-toolkits-missing-authentication-via-connector-php"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Xerte Online Toolkits Missing Authentication via connector.php",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-34413",
"datePublished": "2026-04-22T18:33:44.084Z",
"dateReserved": "2026-03-27T15:24:06.752Z",
"dateUpdated": "2026-04-23T16:25:24.691Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34415 (GCVE-0-2026-34415)
Vulnerability from cvelistv5 – Published: 2026-04-22 18:33 – Updated: 2026-04-22 19:29
Title
Xerte Online Toolkits File Upload RCE via elfinder Connector
Summary
Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block the PHP-executable extension .php4 because of an incorrect regex pattern. Unauthenticated attackers can combine this flaw with the authentication bypass and path traversal vulnerabilities to upload malicious PHP code, rename it with a .php4 extension, and execute arbitrary operating system commands on the server.
Severity
9.8 (Critical)
CWE
- CWE-184 - Incomplete List of Disallowed Inputs
Assigner
References
| URL | Tags |
|---|---|
| https://xerte.org.uk/xertetoolkits_3.15_ChangeLog.html | release-notes |
| https://xerte.org.uk/index.php/en/downloads-1/category/3-xerte-online-toolkits | product, permissions-required |
| https://github.com/thexerteproject/xerteonlinetoolkits/issues/1527 | issue-tracking |
| https://github.com/thexerteproject/xerteonlinetoolkits/commit/02661be88cc369325ea01b508086bde7fbfec805 | patch |
| https://github.com/thexerteproject/xerteonlinetoolkits/commit/17e4f945fe6a3400fa88c01eda18c1075ee4a212 | patch |
| https://github.com/thexerteproject/xerteonlinetoolkits/commit/507d55c5e91bf9310b5b1c7fad8aebfef902ad23 | patch |
| https://www.vulncheck.com/advisories/xerte-online-toolkits-file-upload-rce-via-elfinder-connector | third-party-advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| thexerteproject | xerteonlinetoolkits | Affected: 3.15.0 (semver); 3.14.0 (semver); 3.13.0 (semver); 0, < 02661be88cc369325ea01b508086bde7fbfec805 (git); 0, < 17e4f945fe6a3400fa88c01eda18c1075ee4a212 (git); 0, < 507d55c5e91bf9310b5b1c7fad8aebfef902ad23 (git) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34415",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-22T19:29:01.840102Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T19:29:58.721Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "xerteonlinetoolkits",
"repo": "https://github.com/thexerteproject/xerteonlinetoolkits",
"vendor": "thexerteproject",
"versions": [
{
"status": "affected",
"version": "3.15.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "3.14.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "3.13.0",
"versionType": "semver"
},
{
"lessThan": "02661be88cc369325ea01b508086bde7fbfec805",
"status": "affected",
"version": "0",
"versionType": "git"
},
{
"lessThan": "17e4f945fe6a3400fa88c01eda18c1075ee4a212",
"status": "affected",
"version": "0",
"versionType": "git"
},
{
"lessThan": "507d55c5e91bf9310b5b1c7fad8aebfef902ad23",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "bootstrapbool"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP-executable extensions .php4 due to an incorrect regex pattern. Unauthenticated attackers can exploit this flaw combined with authentication bypass and path traversal vulnerabilities to upload malicious PHP code, rename it with a .php4 extension, and execute arbitrary operating system commands on the server.\u003cbr\u003e"
}
],
"value": "Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP-executable extensions .php4 due to an incorrect regex pattern. Unauthenticated attackers can exploit this flaw combined with authentication bypass and path traversal vulnerabilities to upload malicious PHP code, rename it with a .php4 extension, and execute arbitrary operating system commands on the server."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-184",
"description": "CWE-184 Incomplete List of Disallowed Inputs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T18:33:17.741Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://xerte.org.uk/xertetoolkits_3.15_ChangeLog.html"
},
{
"tags": [
"product",
"permissions-required"
],
"url": "https://xerte.org.uk/index.php/en/downloads-1/category/3-xerte-online-toolkits"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/thexerteproject/xerteonlinetoolkits/issues/1527"
},
{
"tags": [
"patch"
],
"url": "https://github.com/thexerteproject/xerteonlinetoolkits/commit/02661be88cc369325ea01b508086bde7fbfec805"
},
{
"tags": [
"patch"
],
"url": "https://github.com/thexerteproject/xerteonlinetoolkits/commit/17e4f945fe6a3400fa88c01eda18c1075ee4a212"
},
{
"tags": [
"patch"
],
"url": "https://github.com/thexerteproject/xerteonlinetoolkits/commit/507d55c5e91bf9310b5b1c7fad8aebfef902ad23"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/xerte-online-toolkits-file-upload-rce-via-elfinder-connector"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Xerte Online Toolkits File Upload RCE via elfinder Connector",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-34415",
"datePublished": "2026-04-22T18:33:17.741Z",
"dateReserved": "2026-03-27T15:24:06.752Z",
"dateUpdated": "2026-04-22T19:29:58.721Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34414 (GCVE-0-2026-34414)
Vulnerability from cvelistv5 – Published: 2026-04-22 18:32 – Updated: 2026-04-22 18:53
Title
Xerte Online Toolkits Path Traversal via connector.php
Summary
Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where the name parameter in rename commands is not sanitized for path traversal sequences. Attackers can supply a name value containing directory traversal sequences to move files from project media directories to arbitrary locations on the filesystem, potentially overwriting application files, achieving stored cross-site scripting, or combining with other vulnerabilities to achieve unauthenticated remote code execution by moving PHP code files to the application root.
Severity
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags |
|---|---|
| https://xerte.org.uk/xertetoolkits_3.15_ChangeLog.html | release-notes |
| https://xerte.org.uk/index.php/en/downloads-1/category/3-xerte-online-toolkits | product, permissions-required |
| https://github.com/thexerteproject/xerteonlinetoolkits/issues/1527 | issue-tracking |
| https://github.com/thexerteproject/xerteonlinetoolkits/commit/02661be88cc369325ea01b508086bde7fbfec805 | patch |
| https://github.com/thexerteproject/xerteonlinetoolkits/commit/17e4f945fe6a3400fa88c01eda18c1075ee4a212 | patch |
| https://github.com/thexerteproject/xerteonlinetoolkits/commit/507d55c5e91bf9310b5b1c7fad8aebfef902ad23 | patch |
| https://www.vulncheck.com/advisories/xerte-online-toolkits-path-traversal-via-connector-php | third-party-advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| thexerteproject | xerteonlinetoolkits | Affected: 3.15.0 (semver); 3.14.0 (semver); 3.13.0 (semver); 0, < 02661be88cc369325ea01b508086bde7fbfec805 (git); 0, < 17e4f945fe6a3400fa88c01eda18c1075ee4a212 (git); 0, < 507d55c5e91bf9310b5b1c7fad8aebfef902ad23 (git) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34414",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-22T18:53:40.512844Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T18:53:47.745Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "xerteonlinetoolkits",
"repo": "https://github.com/thexerteproject/xerteonlinetoolkits",
"vendor": "thexerteproject",
"versions": [
{
"status": "affected",
"version": "3.15.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "3.14.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "3.13.0",
"versionType": "semver"
},
{
"lessThan": "02661be88cc369325ea01b508086bde7fbfec805",
"status": "affected",
"version": "0",
"versionType": "git"
},
{
"lessThan": "17e4f945fe6a3400fa88c01eda18c1075ee4a212",
"status": "affected",
"version": "0",
"versionType": "git"
},
{
"lessThan": "507d55c5e91bf9310b5b1c7fad8aebfef902ad23",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "bootstrapbool"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where the name parameter in rename commands is not sanitized for path traversal sequences. Attackers can supply a name value containing directory traversal sequences to move files from project media directories to arbitrary locations on the filesystem, potentially overwriting application files, achieving stored cross-site scripting, or combining with other vulnerabilities to achieve unauthenticated remote code execution by moving PHP code files to the application root.\u003cbr\u003e"
}
],
"value": "Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where the name parameter in rename commands is not sanitized for path traversal sequences. Attackers can supply a name value containing directory traversal sequences to move files from project media directories to arbitrary locations on the filesystem, potentially overwriting application files, achieving stored cross-site scripting, or combining with other vulnerabilities to achieve unauthenticated remote code execution by moving PHP code files to the application root."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T18:34:11.379Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://xerte.org.uk/xertetoolkits_3.15_ChangeLog.html"
},
{
"tags": [
"product",
"permissions-required"
],
"url": "https://xerte.org.uk/index.php/en/downloads-1/category/3-xerte-online-toolkits"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/thexerteproject/xerteonlinetoolkits/issues/1527"
},
{
"tags": [
"patch"
],
"url": "https://github.com/thexerteproject/xerteonlinetoolkits/commit/02661be88cc369325ea01b508086bde7fbfec805"
},
{
"tags": [
"patch"
],
"url": "https://github.com/thexerteproject/xerteonlinetoolkits/commit/17e4f945fe6a3400fa88c01eda18c1075ee4a212"
},
{
"tags": [
"patch"
],
"url": "https://github.com/thexerteproject/xerteonlinetoolkits/commit/507d55c5e91bf9310b5b1c7fad8aebfef902ad23"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/xerte-online-toolkits-path-traversal-via-connector-php"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Xerte Online Toolkits Path Traversal via connector.php",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-34414",
"datePublished": "2026-04-22T18:32:45.737Z",
"dateReserved": "2026-03-27T15:24:06.752Z",
"dateUpdated": "2026-04-22T18:53:47.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41459 (GCVE-0-2026-41459)
Vulnerability from cvelistv5 – Published: 2026-04-22 18:32 – Updated: 2026-04-23 14:13
Title
Xerte Online Toolkits Path Disclosure via /setup
Summary
Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root. Attackers can send a GET request to the /setup page to access the exposed root_path value rendered in the HTML response, which enables exploitation of path-dependent vulnerabilities such as relative path traversal in connector.php.
Severity
5.3 (Medium)
CWE
- CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
Assigner
References
| URL | Tags |
|---|---|
| https://xerte.org.uk/xertetoolkits_3.15_ChangeLog.html | release-notes |
| https://xerte.org.uk/index.php/en/downloads-1/category/3-xerte-online-toolkits | product, permissions-required |
| https://github.com/thexerteproject/xerteonlinetoolkits/issues/1527 | issue-tracking |
| https://github.com/thexerteproject/xerteonlinetoolkits/commit/f063e942b4a9bf77a06829e844c2c70316bc45e8 | patch |
| https://www.vulncheck.com/advisories/xerte-online-toolkits-path-disclosure-via-setup | third-party-advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| thexerteproject | xerteonlinetoolkits | Affected: 3.15.0 (semver); 0, < f063e942b4a9bf77a06829e844c2c70316bc45e8 (git) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41459",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-23T14:13:11.664023Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T14:13:26.167Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "xerteonlinetoolkits",
"repo": "https://github.com/thexerteproject/xerteonlinetoolkits",
"vendor": "thexerteproject",
"versions": [
{
"status": "affected",
"version": "3.15.0",
"versionType": "semver"
},
{
"lessThan": "f063e942b4a9bf77a06829e844c2c70316bc45e8",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "bootstrapbool"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root. Attackers can send a GET request to the /setup page to access the exposed root_path value rendered in the HTML response, which enables exploitation of path-dependent vulnerabilities such as relative path traversal in connector.php.\u003cbr\u003e"
}
],
"value": "Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root. Attackers can send a GET request to the /setup page to access the exposed root_path value rendered in the HTML response, which enables exploitation of path-dependent vulnerabilities such as relative path traversal in connector.php."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-497",
"description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T18:34:33.485Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://xerte.org.uk/xertetoolkits_3.15_ChangeLog.html"
},
{
"tags": [
"product",
"permissions-required"
],
"url": "https://xerte.org.uk/index.php/en/downloads-1/category/3-xerte-online-toolkits"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/thexerteproject/xerteonlinetoolkits/issues/1527"
},
{
"tags": [
"patch"
],
"url": "https://github.com/thexerteproject/xerteonlinetoolkits/commit/f063e942b4a9bf77a06829e844c2c70316bc45e8"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/xerte-online-toolkits-path-disclosure-via-setup"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Xerte Online Toolkits Path Disclosure via /setup",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-41459",
"datePublished": "2026-04-22T18:32:26.272Z",
"dateReserved": "2026-04-20T16:07:47.310Z",
"dateUpdated": "2026-04-23T14:13:26.167Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}